>Аська может по _абсолютно_ любому порту работать, не только по 5190.
>Либо сервера авторизации блокировать, либо iptables + L7 (если линух, конечно). Не могу найти сервера авторизации этих прог. Можно поподробнее о iptables + L7 как раз такая связка.
# Simple iptables firewall
# Hennadiy Karpov <hk@on.com.ua>, 2002
########################### PACKET FILTERING ##################################
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
#--------------------------- GENERIC RULES ------------------------------------
# allow localhost communication
-A INPUT -i lo -j ACCEPT
# allow any connection from trusted network to firewall box
# $METACONF#2$ %\beth\d%(lan-if-name)%
-A INPUT -i eth1 -j ACCEPT
# deny ICMP redirects (type 5) from untrusted networks
-A INPUT -p icmp -m icmp --icmp-type redirect -j DROP
-A FORWARD -p icmp -m icmp --icmp-type redirect -j DROP
# allow any established connection
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A FORWARD -m state --state ESTABLISHED,RELATED --dport !443 -j ACCEPT
#--------------------------- SPECIAL RULES ------------------------------------
# allow direct access to any Internet service for any internal user
# $METACONF#2$ %\beth\d%(lan-if-name)%
#-A FORWARD -i eth0 -j ACCEPT
# allow direct access to Internet services for some internal users
#-A FORWARD -p udp -s 10.0.0.1 --dport 53 -j ACCEPT
#-A FORWARD -p tcp -s 10.0.0.1 --dport 21 -j ACCEPT
#-A FORWARD -p tcp -s 10.0.0.1 --dport 80 -j ACCEPT
#-A FORWARD -p tcp -s 10.0.0.1 --dport 25 -j ACCEPT
#-A FORWARD -p udp -s 10.0.0.1 --dport 53 -j ACCEPT
#--------------------------- PUBLIC SERVICES ----------------------------------
# ICMP echo-requests (ping)
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# DNS requests
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# SMTP
#-A INPUT -p tcp --dport 25 -j ACCEPT
# HTTP
#-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8081 -s 82.144.192.166 -j ACCEPT
# HTTPS/Webmin
#-A INPUT -p tcp --dport 443 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp -s 192.168.2.46/24 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.2.46/24 --dport 20 -j ACCEPT
# kill ICQ пытался закрыть, потом сделал это в squid
#-D login.icq.com -m multiport --dport 443,5190 -j DROP
# kill Kazaa
#-A FORVARD -m string --string "X-Kazaa-" -j REGECT
#-------------------------------- LOGGING ------------------------------------
# special chain for logging
-N LOGIT
# don't log ident, HTTP, HTTPS
-A LOGIT -p tcp -m tcp --dport 113 -j RETURN
-A LOGIT -p tcp -m tcp --dport 80 -j RETURN
-A LOGIT -p tcp -m tcp --dport 443 -j RETURN
-A LOGIT -p tcp -m state --state NEW,INVALID -m limit --limit 1/m -j LOG
# log denied packets
#-A INPUT -j LOGIT
-A FORWARD -j LOGIT
# reject denied connection
-A INPUT -m state --state NEW -j REJECT
-A FORWARD -m state --state NEW -j REJECT
COMMIT
########################## NAT & MASQUERADING #################################
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
# masquerading
# $METACONF#2$ %\b(?:eth|ppp)\d%(inet-if-name)%
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Вариант для распечатки
Настройка Squid и других прокси серверов (Public)
(??) on 13-Окт-06, 18:19 
